An AMS-IX Story
March 20, 2018
AMS-IX is a member-based, neutral and independent Internet Exchange. Apart from the day-to-day technical operations of the technical platform, AMS-IX also builds and fosters good relationship with the internet community at large. One of our longstanding members we co-operate and innovate together with is: A2B Internet. So, we visited Erik Bais, the owner of A2B Internet and talked about one of his most successful projects to mitigate DDoS-attacks called: The Naughty Port™ Project.
First, many thanks for giving me the opportunity. Let’s get to the essence of The Naughty Port: It is all about predicting from which networks a possible DDoS-attack comes from and then route that bad/naughty traffic to a separate small port. We predict this by looking at how many incorrectly configured servers are present in a certain network. When there are more servers that are incorrectly configured, the higher the chance is that these will be misused during a DDoS-attack.
Let me try to give a little bit of background about DDoS-amplification attacks. Because this is essential in our Naughty Port approach to mitigate DDoS attacks.
Simplified, a DDoS-attack is amplified through various techniques turning a small attack into a much larger attack. You can compare a DDoS attack with a flash-mob at a retail store. Typically, a store has a certain capacity of regular people (let’s say 200 customers) to the store. If someone is organising a flash-crowd to that store with 5000 people, the entry and the store itself get over-crowded and the legitimate customers can’t even get into the store or purchase anything because the store is not designed for that kind of traffic.
If you look at network traffic behaviour and that is what we have done with our Naughty Port Project, we scout where the flash-mob could come from and we can even predict where they are originating from. Let’s say a specific neighbourhood or part of a city. By redirecting those flash-mobs from certain bad or ‘Naughty’ neighbourhoods, into a strict access path you can eliminate their intent and keep the regular customers happy.
And that is what we are also doing with our project. I also would like to point out that: naughty doesn’t necessarily means bad... they might be unaware that they are even participating in a DDoS until someone tells them.
The information about incorrectly configured servers in a network is publically available. We have a partnership for that with a not-for-profit organisation named ShadowServer.org. And each ISP can request their own specific data from them, in order to inform their own customers. At A2B Internet we analyse the global aggregated information per ISP network and put that in a huge database. We created a specific rating to the number of incorrectly configured servers in a network together with the size of the network in IP addresses / customers and use that rating for our peering decisions to build our network.
Based on this information we route undesired/naughty traffic for a network with a high naughty rating to a separate small port on the internet exchange or even deny them to peer with us or exchange traffic via the Internet Exchange to our customers.
On transit links you pay your upstream provider, so you can filter the DDoS traffic before it clogs your network, on an Internet Exchange you cannot do that due to the number of parties on an Internet Exchange. AMS-IX, being one of the largest IXP’s in the world, makes that task even harder. So, you need to decide upfront whom you are going to peer with based on intelligence and data. And that is where the Naughty rating is helping.
DDoS-attacks by itself, are nothing new under the sun… but with the current kind of attacks we need to approach this different than we did in the past. The solution is not adding thicker pipes, more capacity or more boxes. Some ISPs have already reported DDoS-attacks of 1+ Tbps. Most ISP’s cannot grasp the idea of that kind of capacity.
The solution is to inform ISPs that they have a problem in their network and that the ISP community is expecting them to inform their customers, to shut down or patch those vulnerable servers/ devices. Because it is also incorrectly configured IP camera’s or DSL routers that can also be used as a reflective DDoS device, it is not only vulnerable servers / PC’s.
By creating a rating system per network (AS number) we can show peers how they are scoring and if they have a high rating (higher meaning more naughty), they should do their homework. This approach of closing the vulnerable devices will stop them being abused by an attacker and thereby reducing the potential impact of DDoS-attack. If you take away the infected devices, you take away the ammunition of the DDoS cannon.
The goal is to make sure networks become aware of their part in this ecosystem and if they automate their abuse handling towards their customers, this can be solved. And in the meanwhile, we need to make better decisions whom we peer with on an Internet Exchange to provide a safe and secure environment for all our customers.
In the end the internet will be a better place and it will also reduce the amount of capacity ISP’s need to purchase to carry this unwanted DDoS traffic across their backbone.